Choose your tier
Pick the option that matches your family, individual device, or organization. We’ll show the right setup links.
light_mode
“Set your minds on things above.” — Colossians 3:2 (NET)
Scripture-rooted DNS filtering
Faithful internet protection for families, individuals, churches, ministries, schools, and businesses.
GraceDNS keeps families centered, equips individuals, and steadies churches, ministries, schools, and businesses through prayerfully maintained block lists you can adopt in under a minute.
We never log requests; every lookup travels through encrypted channels so devotion and study stay private.
family_restroom
Families
Point your router so every phone, tablet, and TV follows the same Christ-centered guardrails.
person
Individuals
Missionaries, students, and travelers can protect a single device with a quick DNS change.
church
Churches
Volunteers shield sanctuaries, offices, and streaming rooms without an IT staff.
groups
Ministries
Outreach and media teams keep dedicated ministry machines on the same Scripture-shaped filter.
school
Schools
Classrooms, labs, and co-op carts get the right tier without extra subscriptions.
apartment
Businesses
Small businesses run stable, distraction-free networks with our trusted DNS.
Our calling
Guarding hearts and screens through prayerful DNS
GraceDNS keeps families centered on Philippians 4:8, equips individuals, and supports churches, ministries, schools, and businesses by pruning harmful domains so every screen can worship, study, and work without noise.
family_restroom
Families
One tier on the router brings every phone, tablet, and TV under the same Christ-centered guardrails.
person
Individuals
Believers on mission, at school, or on the road can protect a single device with a quick DNS update.
church
Churches
Volunteers secure sanctuaries, offices, and livestream rooms without needing an IT staff.
volunteer_activism
Ministries
Outreach and media teams keep dedicated ministry machines on the same Scripture-shaped filter.
school
Schools
Classrooms, labs, and co-op carts get the right tier without extra subscriptions.
apartment
Businesses
Small business networks stay focused and protected with the DNS we rely on every day.
Paths for every household
Four tiers shaped by Scripture
Pick the tier that matches your convictions and copy either the DNS-over-HTTPS (DoH) address or the DNS-over-TLS (DoT) hostname. Once saved, every request routes through GraceDNS automatically.
Every tier is tuned to avoid needless breakage—Sinai, Zion, and Glory differ mostly in how aggressively they strip trackers, ads, and telemetry. Our developers even run Glory full time so we can spot and fix issues quickly.
Sinai is our most recommended tier: it balances compatibility and safety, keeping SafeSearch and basic ad/tracker removal active while avoiding the extra breakage that can follow the higher tiers.
Eden
Focuses on blocking inherently malicious destinations like phishing, malware, and fraud while letting everyday browsing continue with minimal interruption.
- Stops malicious, misleading, and phishing domains
- Quietly thins out basic tracking and scam ads
- Keeps breakage minimal for general-purpose devices
Blocks — domains
Blocks — TLDs
Covers — categories
Allowlist exceptions: —
lock
Most private option—enter this whenever a device supports DNS-over-HTTPS.
dns
Private fallback for gear that asks for a TLS hostname or Android Private DNS entry.
language
Primary IPv4
language
Secondary IPv4
Not encrypted—use only if DoH and DoT are unavailable on that device.
Works for iPhone, iPad, and Mac (including iMac and MacBook).
| Malware & phishing | ✅ |
| Explicit & gambling | ❌ |
| SafeSearch enforcement | ❌ |
| Ads & tracking | ❌ |
| Telemetry & referrals | ❌ |
Sinai
Built for general households, enforcing SafeSearch and explicit/gambling protections while trimming trackers gently so most devices keep running without extra breakage.
- Adds explicit, gambling, and occult block lists
- Stops most proxy, VPN, and illicit download sites
- lock Forces SafeSearch on every major engine
- Engineered for family devices with very low breakage risk
Blocks — domains
Blocks — TLDs
Covers — categories
Allowlist exceptions: —
lock
Preferred Sinai endpoint; use it whenever a platform lets you paste a DoH URL.
dns
Second choice—encrypted via TLS for clients that only accept hostnames.
language
Primary IPv4
language
Secondary IPv4
Unencrypted legacy service; rely on it only when secure DNS cannot be configured.
Works for iPhone, iPad, and Mac (including iMac and MacBook).
| Malware & phishing | ✅ |
| Explicit & gambling | ✅ |
| SafeSearch enforcement | ✅ |
| Ads & tracking | ✅ |
| Telemetry & referrals | ❌ |
Zion
Almost as strict as Glory but tuned to break less. Zion removes wide ad and tracker systems while still letting most services run, though a few streaming apps may need allowances.
- Removes aggressive ad and tracking networks
- Quiets push-notification and telemetry systems
- Balances chapels and classrooms with fewer breaks than Glory
Blocks — domains
Blocks — TLDs
Covers — categories
Allowlist exceptions: —
lock
Best privacy for Zion—browsers and apps should use this DoH URL whenever possible.
dns
Use this TLS hostname when devices rely on Apple profiles or Android Private DNS instead of raw URLs.
language
Primary IPv4
language
Secondary IPv4
Legacy IPv4 stays unencrypted; reach for it only if secure DNS settings are missing.
Works for iPhone, iPad, and Mac (including iMac and MacBook).
| Malware & phishing | ✅ |
| Explicit & gambling | ✅ |
| SafeSearch enforcement | ✅ |
| Ads & tracking | ✅ |
| Telemetry & referrals | ✅ |
Glory
Our strictest tier strips almost every tracker, referral, and analytics feed. Choose Glory when you need the most aggressive filtering, but use it with caution—smart TVs, streaming apps, or telemetry-heavy devices may need allowances.
- Sweeps almost every known tracker and referral service
- We run Glory daily; most apps stay usable but a few may still need allowances
- Designed for networks that can tolerate occasional breakage
Blocks — domains
Blocks — TLDs
Covers — categories
Allowlist exceptions: —
lock
Strongest privacy—always start with this Glory DoH link.
dns
Second-best, encrypted via TLS; point Apple/Android Private DNS profiles here when DoH cannot be set.
language
Primary IPv4
language
Secondary IPv4
Last resort because traffic is unencrypted—use only if the secure options truly cannot be configured.
Works for iPhone, iPad, and Mac (including iMac and MacBook).
| Malware & phishing | ✅ |
| Explicit & gambling | ✅ |
| SafeSearch enforcement | ✅ |
| Ads & tracking | ✅ |
| Telemetry & referrals | ✅ |
Tier insights
Fresh block stats for every tier
These counts show how many domains each tier blocks whenever a fresh build is released, so you can quickly compare the coverage on any given day.
Eden
—
domains blocked
— categories tracked
— TLDs blocked
Allowlist exceptions: —
Sinai (recommended)
—
domains blocked
— categories tracked
— TLDs blocked
Allowlist exceptions: —
Zion
—
domains blocked
— categories tracked
— TLDs blocked
Allowlist exceptions: —
Glory
—
domains blocked
— categories tracked
— TLDs blocked
Allowlist exceptions: —
Updated — · Git —
Guides for every device
Set up GraceDNS in minutes
Every major platform already understands secure DNS. Copy the DoH URL or DoT hostname for your tier, follow the short guide below, and your devices immediately inherit GraceDNS protections.
phone_android
Android (Private DNS / DoT)
- Open Settings → Network & internet (or Connections).
- Choose Private DNS.
- Select “Private DNS provider hostname”.
- Enter your tier’s DNS-over-TLS name (example:
sinai.gracedns.org) and tap Save.
Older phones may need a trusted DNS app from the Play Store. Choose one that lets you paste the DNS-over-HTTPS URL.
phone_iphone
iPhone & iPad
- Tap the Install Apple profile button for your tier.
- Choose
Allow
when Safari asks to download the profile. - Open Settings → Profile Downloaded.
- Install the profile and enter your passcode if prompted.
- GraceDNS activates instantly; install another profile to switch tiers.
iPhone and iPad trust these profiles system-wide, so every app follows the tier you select automatically.
laptop_mac
Mac (MacBook / iMac)
- Open System Settings → Network, choose your active interface, and click Details (or Advanced).
- Switch to the DNS tab and add the two GraceDNS IPv4 addresses for your tier.
- Ensure those addresses sit at the top of the list so macOS prefers them.
- To move to another tier, swap the IPv4 entries for the new tier’s numbers.
This keeps every Mac device routing DNS through GraceDNS without requiring profiles.
laptop_windows
Windows 10/11
- Open Settings → Network & internet and pick your active connection.
- Click Edit under DNS server assignment, choose Manual, and enable IPv4.
- Enter the GraceDNS IPv4 addresses for your tier.
- If Windows offers DNS encryption, set “Preferred DNS encryption” to
Encrypted only (DNS over HTTPS)
so the same addresses use DoH.
Older builds without DoH support will still honor those IPv4 entries without encryption.
router
Home routers
- Open your router dashboard (address is usually printed underneath).
- Locate the DNS or Internet settings area.
- Paste the GraceDNS IPv4 addresses or DoH/DoT hostname.
- Save. Every device on that network now follows your tier.
Keep another tier handy in case certain smart devices need less aggressive filtering.
school
Chromebooks & shared devices
- In the Google Admin console, go to Devices → Chrome → Settings for Devices.
- Find the Secure DNS section, choose a custom DoH template, and paste your tier’s DoH URL.
- Apply that policy to the organizational units that need protection.
- Sync devices so the template pushes down; personal Chromebooks can still set DNS manually if necessary.
Perfect for schools, co-ops, libraries, and multiuser carts.
We test Glory daily to keep it usable, but it is still the strictest tier—keep Sinai or Eden nearby for devices that must stay flexible.
Anchored in Scripture
“Guard your heart with all vigilance.”
“Guard your heart with all vigilance, for from it are the sources of life.”
Proverbs 4:23 fits our mission: keep the life-giving spring clean so everything downstream stays pure. That is why we block sites that draw hearts away from Christ or delight in sin.
Proverbs 4:23 (NET)
Shared stewardship
GraceDNS stays free when the Church carries it together
GraceDNS is community-supported. Families may share $15/year, individuals $5/year, and schools $3/student/year; give whatever fits. We stay free for households and individuals. If you are not an individual or family but would like to support us, reach out and we can send a formal invoice for churches, ministries, schools, or businesses.
Funds new block lists
Keeps fast, redundant servers
Strengthens families and ministries
GraceDNS is not a 501(c)(3), so gifts are not tax-deductible and cannot be refunded. Stripe emails a receipt instantly.
Request a support invoiceNeed guidance?
Questions we hear most
How do the tiers differ?
Eden blocks obvious harm and scams. Sinai adds explicit, gambling, and piracy protections with SafeSearch. Zion removes wide ad networks and tracking. Glory blocks nearly every telemetry feed and sometimes needs special allowances.
Will the stronger tiers break sites?
Every tier is tuned to avoid needless breakage, but the more we block, the higher the chance something relies on it. Zion may occasionally pause notification-heavy apps, and Glory might need an allowlist entry. Our team runs Glory all day so we can fix problems quickly; keep Sinai or Eden handy for anything urgent.
Where should families begin?
Most households start with Sinai for firm protection and minimal breakage. Use Eden for work devices that must remain flexible. Reserve Zion for quiet spaces and Glory for supervised stations.
Do you log what I browse?
We only capture the information needed to answer DNS requests. Short-lived troubleshooting logs may include anonymized network data (for example, IPv4 addresses masked to 123.123.123.xxx), and are deleted once we resolve technical issues. We never sell data or build marketing profiles, and every lookup travels over encrypted transport.
How do I switch tiers later?
Replace the DoH/DoT endpoint in your settings or install a new profile. Most devices adopt the new tier within seconds.
Is GraceDNS only for churches?
No. Families and individuals come first, and we gladly serve churches, ministries, schools, and businesses that want Christ-honoring filtering.
Troubleshooting
Check what each tier returns
Enter a domain and we’ll send DoH queries to Eden, Sinai, Zion, and Glory so you can see which tier the filter blocks and whether we issue SafeSearch redirects.
Eden
Waiting
Enter a domain to start.
Sinai
Waiting
Enter a domain to start.
Zion
Waiting
Enter a domain to start.
Glory
Waiting
Enter a domain to start.
Covering details
GraceDNS is shepherded by Ole Brook Web Services
Ole Brook Web Services in Mississippi builds practical tools for families, churches, ministries, schools, and small businesses. We built GraceDNS first to serve Christ; along the way it became the default DNS we use to protect every Ole Brook Web Services client network, and we are humbled to offer that same protection freely to the wider Body.
Visit olebrookwebservices.com